book

Security Orchestration, Automation, and Response for Security Analysts

Name: Security Orchestration, Automation, and Response for Security Analysts
Author: Benjamin Kovacevic
ISBN: 9781803242910

by Benjamin Kovacevic

July 2023

Beginner to intermediate

338 pages

7h 26m

English

Packt Publishing

Read now

Unlock full access

Security Orchestration, Automation, and Response  for Security Analysts
ForewordContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
Part 1: Intro to SOAR and Its Elements
Chapter 1: The Current State of Cybersecurity and the Role of SOAR
Traditional versus modern securityThe current state of cybersecurityWhat is SOAR?Summary
Chapter 2: A Deep Dive into Incident Management and Investigation
What are SOC tiers?Understanding incident managementWhy do we need incident management in SOAR?Exploring incident management featuresInvestigating NIST and SANS incident management frameworksPreparationDetection and analysis/identificationContainment, eradication, and recoveryPost-incident activity/lessons learnedIncident tasks – to do or not to doInvestigation starting point – incident investigation pageThe incident investigation processExecute incident prioritizationConduct incident triageDig deeper for better contextDon’t reinvent the wheelUnderstanding threat huntingSummary
Chapter 3: A Deep Dive into Automation and Reporting
An in-depth view of automationWhat should be automated?Automation versus the SOC analystUtilizing the SOC analyst or user input for automationPros and cons of automationAn in-depth view of reportingWhat is reporting and why is it crucial?Are reports the new incident management?What is the proper way to utilize reporting?TI and TVM – how important are they?Summary
Part 2: SOAR Tools and Automation Hands-On Examples
Chapter 4: Quick Dig into SOAR Tools
Microsoft Sentinel SOARIncident managementInvestigationAutomationReportingTI and TVMSplunk SOAR (Phantom)Incident management and investigationAutomationReportingTI and TVMThe administration paneGoogle Chronicle SOAR (Siemplify)Incident managementInvestigationAutomationReportingTI and TVMAdministration paneSummary
Chapter 5: Introducing Microsoft Sentinel Automation
The purpose of Microsoft Sentinel automationAll about automation rulesNavigating the automation rule GUIPermissionsTriggersConditionsActionsRule expiration and orderAll about playbooksNavigating the playbooks GUIPermissionsLogic Apps connectors and authenticationTriggersActionsDynamic contentMonitoring automation rules and playbook healthSummary
Chapter 6: Enriching Incidents Using Automation
Why should you use automation for incident enrichment?Creating your own Microsoft Sentinel trailVirusTotal playbook – IP enrichmentCreating a playbookTesting a playbookVirusTotal playbook – URL enrichmentCreating a playbookTesting a playbookSummary

Chapter 7: Managing Incidents with Automation
Automated false-positive incident closure with a watchlistCreating a playbookTesting a playbookClosing an incident based on SOC analyst inputCreating a playbookTesting a playbookAuto-closing incidents using automation rulesCreating an automation ruleTesting an automation ruleSummary
Chapter 8: Responding to Incidents Using Automation
Automating responses to incidentsBlocking a user upon suspicious sign-inCreating a playbookTesting a playbookIsolating a machine upon new malware detectionCreating a playbookTesting a playbookSummary
Chapter 9: Mastering Microsoft Sentinel Automation: Tips and Tricks
Best practices for working with dynamic content and expressionsUnderstanding the HTTP action and its usageElements of the HTTP actionUtilizing the HTTP actionApplying API permissions to a managed identityExploring more playbook actionsSwitchSelect and Create HTML tableComposeParse JSONSummary
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Overview

In "Security Orchestration, Automation, and Response for Security Analysts", you'll explore key insights into the SOAR platform and its capabilities. From understanding the fundamentals of SOAR to mastering automation techniques with tools like Microsoft Sentinel and Splunk SOAR, this book equips security analysts with the knowledge and tools they need to optimize threat visibility and incident response.

What this Book will help me do

Master SOAR fundamentals to streamline security operations.
Design automated workflows to handle incidents efficiently.
Explore contextualized usage of tools like Google Chronicle SOAR.
Optimize threat intelligence collection and threat hunting processes.
Apply best-practices to real-world automation and incident management.

Author(s)

Benjamin Kovacevic is a seasoned cybersecurity expert with extensive experience in Security Orchestration, Automation, and Response. His practical approach combines technical depth with a knack for simplifying complex concepts. Kovacevic brings years of experience in SOC operations to guide his readers toward enhanced security methodologies.

Who is it for?

This book is tailor-made for SOC analysts, junior engineers in cybersecurity, and DevSecOps professionals who aim to enhance their technical automation skills and improve organizational security. Whether you're a cybersecurity beginner looking to get started with SOAR or an experienced professional seeking advanced techniques, this book offers actionable insights and tools for every skill level.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Open-Source Security Operations Center (SOC)

Publisher Resources

ISBN: 9781803242910

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills